For healthcare leaders trying to read the regulatory tea leaves, the honest answer in spring 2026 is this: the rules are not final, but the expectations haven’t gone away.
There’s a particular kind of frustration that healthcare IT and compliance officers know well: the kind that comes from being asked to prepare for something that may or may not happen, on a timeline that keeps shifting, under cost assumptions that bear no relationship to reality. That’s the situation right now with federal healthcare cybersecurity regulation, and if you’ve been getting emails from vendors suggesting you’re already out of compliance with new HIPAA security rules, you should know: you’re not. Not yet. Maybe not ever, at least not in the form currently proposed.
Here’s what’s actually happening.
The HIPAA Security Rule NPRM: Still Proposed, But Not Going Away
In the final days of the Biden administration — January 2025 — HHS published a 125-page Notice of Proposed Rulemaking to significantly update the HIPAA Security Rule, its first major overhaul since 2003. The proposal would eliminate the long-standing distinction between “required” and “addressable” implementation specifications, making nearly all of them mandatory, and require written documentation for all security policies, procedures, plans, and analyses. It landed with a $9 billion estimated first-year price tag that much of the industry considered wildly optimistic.
More than 4,700 public comments later, the Trump administration still hasn’t decided what to do with it.
Speaking at the virtual HIPAA Summit in early April, Paula Stannard, director of HHS’s Office for Civil Rights, acknowledged the complaints — and pushed back on the idea that inaction is the safer path.
“I want to encourage you not to overlook the very high cost of doing nothing,” she said. “A successful cyberattack can cost far more in terms of reputation — the need to pay ransom, remediation of your systems, protection for those whose protected health information was accessed, potential civil liability — and investors knocking at your door asking for documents and initiating an investigation.”
– Paula Stannard, Director, HHS Office for Civil Rights
Her comments signaled that this proposal is not heading for the trash bin.
“I can’t say much about what we will end up doing on it,” Stannard said, “and after we review the comments, the Trump administration may have a different view on the burdens and benefits of the proposed changes.”
But she stopped well short of endorsing rescission.
Stannard also made a pointed observation about what the current rule’s flexibility has actually produced. The existing Security Rule allows regulated entities to treat “addressable” specifications (including encryption) as discretionary.
“In practice, regulated entities, especially small and medium-sized entities, have treated addressable implementation specifications as optional, and this means that they have not done it,” she said. “This has resulted in much more lax security.”
The argument for preserving that flexibility, in her view, is harder to make in 2026 than it was when the rule was first written in 2003.
A final action is still listed for May on HHS OCR’s regulatory agenda, though federal agencies routinely extend those deadlines, and the next agenda update is expected shortly.
CHIME, the College of Healthcare Information Management Executives, has been among the most vocal opponents. The organization submitted public comments, co-led a stakeholder letter to HHS and the White House requesting rescission, and argues the administration’s cost estimates dramatically understate the real burden, particularly for under-resourced providers.
So, what is OCR focusing on?
OCR’s New Focus: Risk Management, Not Just Risk Analysis
On April 8th, OCR’s Senior Advisor for Cybersecurity Nick Heesters released a guidance video that every HIPAA-regulated entity should watch. In it, he makes clear that the agency has formally expanded its enforcement initiative beyond risk analysis to include risk management: what organizations actually do about the risks they find. If you take one thing from OCR’s recent activity, it’s this: knowing your risks is no longer enough. Acting on them is now what the agency is enforcing.
The pattern OCR keeps finding isn’t organizations that don’t know their risks. It’s organizations that document them, and then do nothing. In investigation after investigation, OCR has found the same vulnerabilities appearing in security reviews year after year, unmitigated, until they were finally exploited.
“Failing to take action to mitigate risks or implementing security measures that do not sufficiently reduce risks to a reasonable and appropriate level is something OCR discovers frequently,” Heesters said.
The breach data explains why OCR is pressing this. In 2024, large HIPAA breaches affected more than 286 million individuals. In 2025, 76% of large breaches were caused by hacking and IT incidents. These are not surprises — they are, in OCR’s framing, “reasonably anticipated” threats that obligate regulated entities to act.
One more thing to understand about the legal standard: policies and written plans are not enough.
“Policies and procedures alone are not sufficient evidence of security measure implementation,” Heesters said. OCR wants to see that identified risks drove real decisions — configurations changed, controls validated, measures actually in place. The question regulators are now asking isn’t just “did you find the risks?” It’s “what did you do about them, and can you prove it?”
Organizations that fall short face a finding of willful neglect (the most serious HIPAA violation category) carrying penalties of $73,011 per day, per violation.
What to Do Right Now: Build a Program, Not a Checklist
The regulatory picture may be unsettled, but the operational imperative isn’t. Whether the NPRM is finalized, revised, or rescinded, OCR is actively enforcing the rules that exist today — and the bar it’s applying is whether your organization has a functioning, continuous risk management program. Not a point-in-time assessment. Not a binder of policies. A living program.
That starts with knowing your assets. You cannot manage risk to electronic protected health information you haven’t fully accounted for. Every system, application, device, and data flow that touches ePHI needs to be in scope — including the ones that have been quietly accumulating through acquisitions, new vendors, and technology changes. Gaps in asset inventory are gaps in your risk picture, and gaps in your risk picture are exactly what OCR finds when things go wrong.
From there, the risk analysis has to be thorough and honest. Federally recognized frameworks (NIST CSF 2.0, NIST SP 800-66, and the HHS 405(d) Health Industry Cybersecurity Practices) exist precisely to give organizations a structured, defensible methodology for this work. They don’t prescribe a single path, but they provide the architecture for one. Using them isn’t just good security hygiene; it’s the kind of documented, principled approach that holds up under regulatory scrutiny.
But the analysis is only the beginning. What OCR is now demanding (and what the breach data makes painfully clear is necessary) is that identified risks are actually managed over time. That means prioritizing findings, implementing controls, validating that they work, and revisiting the program as your environment changes. New technology, new vendors, new threats: each one is a reason to update your risk picture, not a reason to wait for the next scheduled assessment.
Done well, this isn’t just a compliance exercise. It’s the foundation of operational resilience: the difference between an organization that discovers a vulnerability in a review and one that discovers it in a breach notification.
Healthcare organizations carry a profound responsibility to the patients they serve. A continuous, enterprise-wide risk management program is how you fulfill that responsibility and demonstrate, credibly, that you’ve done everything in your power to protect them.
The good news is the frameworks are there, the guidance is clear, and OCR has been remarkably transparent about exactly what it’s looking for. The work is hard, but it isn’t mysterious.
Have Questions? Clearwater Can Help.
Clearwater has spent two decades helping healthcare organizations build the kind of enterprise-class risk management programs that hold up under OCR scrutiny, and in every OCR investigation involving a Clearwater risk analysis, the outcome has been successful. Whether you’re starting from scratch, pressure-testing an existing program, or trying to make sense of a shifting regulatory landscape, our team is here. Contact us: https://clearwatersecurity.com/contact/